Red Hat Enterprise Linux (RHEL)

Undertow HTTP Request Smuggling via Leading Space Header
CVE-2026-28369 8.7 - High - March 27, 2026

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.

HTTP Request Smuggling

Undertow Request Smuggling via CRCRCR Header Terminator (CVE202628367)
CVE-2026-28367 8.7 - High - March 27, 2026

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

HTTP Request Smuggling

Undertow Header Smuggling via Header Name Misparse
CVE-2026-28368 8.7 - High - March 27, 2026

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

HTTP Request Smuggling

Unprivileged User Can Modify Firewall State via D-Bus in firewalld
CVE-2026-4948 5.5 - Medium - March 27, 2026

A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.

Incorrect Execution-Assigned Permissions

libssh Denial of Service via Arbitrary File Access during Config Parsing
CVE-2026-0965 - March 26, 2026

A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.

External Control of File Name or Path

Libssh DoS via regex backtracking in match_pattern with crafted hostnames
CVE-2026-0967 - March 26, 2026

A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

ReDoS

libssh SFTP longname NullCheck: Heap OverRead -> DoS
CVE-2026-0968 - March 26, 2026

A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

NULL Pointer Dereference

SCP Client Path Traversal Allowing Local File Overwrite (CVE-2026-0964)
CVE-2026-0964 - March 26, 2026

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Directory traversal

OpenSSH ssh_get_hexa Zero-Length Leak Self-DoS via GSSAPI
CVE-2026-0966 - March 26, 2026

The API function `ssh_get_hexa()` is vulnerable, when 0-lenght input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The function is also used internally in the gssapi code for logging the OIDs received by the server during GSSAPI authentication. This could be triggered remotely, when the server allows GSSAPI authentication and logging verbosity is set at least to SSH_LOG_PACKET (3). This could cause self-DoS of the per-connection daemon process.

buffer underrun

CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DS
CVE-2026-2100 5.3 - Medium - March 26, 2026

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Access of Uninitialized Pointer

GIMP PSD Heap-BUF-overflow in fread_pascal_string Causes DoS
CVE-2026-2239 2.8 - Low - March 26, 2026

A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread_pascal_string function when processing a specially crafted PSD (Photoshop Document) file. This occurs because the buffer allocated for a Pascal string is not properly null-terminated, leading to an out-of-bounds read when strlen() is subsequently called. Successfully exploiting this vulnerability can cause the application to crash, resulting in an application level Denial of Service.

Improper Null Termination

GIMP ICO Integer Overflow Vulnerability in ico_read_info
CVE-2026-2272 4.3 - Medium - March 26, 2026

A flaw was found in GIMP. An integer overflow vulnerability exists when processing ICO image files, specifically in the `ico_read_info` and `ico_read_icon` functions. This issue arises because a size calculation for image buffers can wrap around due to a 32-bit integer evaluation, allowing oversized image headers to bypass security checks. A remote attacker could exploit this by providing a specially crafted ICO file, leading to a buffer overflow and memory corruption, which may result in an application level denial of service.

Integer Overflow or Wraparound

GIMP PSP Parser Integer Overflow Enables Heap OOB Write & DoS
CVE-2026-2271 3.3 - Low - March 26, 2026

A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker could exploit an integer overflow vulnerability in the read_creator_block() function by providing a specially crafted PSP image file. This vulnerability occurs when a 32-bit length value from the file is used for memory allocation without proper validation, leading to a heap overflow and an out-of-bounds write. Successful exploitation could result in an application level denial of service.

Integer Overflow or Wraparound

Use-After-Free in libsoup SoupServer: TLS crash & DoS
CVE-2026-2436 6.5 - Medium - March 26, 2026

A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service.

Dangling pointer

PolKit setuid helper OOM DoS via long stdin input
CVE-2026-4897 5.5 - Medium - March 26, 2026

A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

Allocation of Resources Without Limits or Throttling

GIMP PCX Loader Heap Buffer Over-read Causing DoS (CVE-2026-4887)
CVE-2026-4887 6.1 - Medium - March 26, 2026

A flaw was found in GIMP. This issue is a heap buffer over-read in GIMP PCX file loader due to an off-by-one error. A remote attacker could exploit this by convincing a user to open a specially crafted PCX image. Successful exploitation could lead to out-of-bounds memory disclosure and a possible application crash, resulting in a Denial of Service (DoS).

off-by-five

libtiff Signed Integer Overflow OOB Heap Write in putcontig8bitYCbCr44tile
CVE-2026-4775 7.8 - High - March 24, 2026

A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.

Integer Overflow or Wraparound

Undertow DoS via multipart/form-data resource exhaustion
CVE-2026-3260 5.9 - Medium - March 24, 2026

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

Allocation of Resources Without Limits or Throttling

GStreamer OOB Read in gst_wavparse_adtl_chunk()
CVE-2026-1940 5.1 - Medium - March 23, 2026

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read.

Out-of-bounds Read

BFD Library XCOFF Relocation Validation Defect DoS
CVE-2026-4647 6.1 - Medium - March 23, 2026

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.

Out-of-bounds Read

Infinite Loop DoS via Crafted Boolean XPath in antchfx/xpath
CVE-2026-4645 7.5 - High - March 23, 2026

A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system.

Infinite Loop

Negative DataRow Length in pgproto3 Leading to DoS
CVE-2026-4427 7.5 - High - March 19, 2026

A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a negative field length. This input validation vulnerability can lead to a denial of service (DoS) due to a slice bounds out of range panic.

out-of-bounds array index

libsoup Integer Underflow Buffer Overread
CVE-2026-2369 6.5 - Medium - March 19, 2026

A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service.

Integer underflow

UB in libarchive Zisofs Decompressor Enables DoS via Malicious ISO
CVE-2026-4426 6.5 - Medium - March 19, 2026

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

1335

libarchive Heap OOB Read via Craft RAR Archive
CVE-2026-4424 7.5 - High - March 19, 2026

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Out-of-bounds Read

libsoup HTTP/2 UAF Auth Failure & DoS
CVE-2026-4271 5.3 - Medium - March 17, 2026

A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).

Dangling pointer

libsoup CRLF Header Injection via Content-Type Header
CVE-2026-3634 3.9 - Low - March 17, 2026

A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.

CRLF Injection

CRLF Injection in libsoup's soup_message_new via unescaped method
CVE-2026-3633 3.9 - Low - March 17, 2026

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.

CRLF Injection

libsoup Hostname Validation Flaw Enabling HTTP Smuggling & SSRF
CVE-2026-3632 3.9 - Low - March 17, 2026

A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.

Improper Validation of Syntactic Correctness of Input

Heap-based Overflow in GNU Binutils BFD Linker (CVE-2026-3441)
CVE-2026-3441 6.1 - Medium - March 15, 2026

A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.

Out-of-bounds Read

BufOverflow bfd linker in GNU Binutils CVE-2026-3442
CVE-2026-3442 6.1 - Medium - March 15, 2026

A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.

Out-of-bounds Read

Infinite Loop in libarchive RAR5 Decompression causing DoS
CVE-2026-4111 7.5 - High - March 13, 2026

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Infinite Loop

systemd Improper Access Control in D-Bus RegisterMachine
CVE-2026-4105 6.7 - Medium - March 13, 2026

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

Authorization

Libsoup Digest Auth Replay Vulnerability (nonce & nc tracking)
CVE-2026-3099 5.8 - Medium - March 12, 2026

A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.

Reusing a Nonce, Key Pair in Encryption

Apache mod_proxy_cluster CRLF Injection (CVE-2026-3234)
CVE-2026-3234 4.3 - Medium - March 12, 2026

A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoint responses. Exploitation requires network access to the MCMP protocol port, but no authentication is needed.

CRLF Injection

NFSv3 rpc.mountd Privilege Escalation via Directory Bypass (CVE-2025-12801)
CVE-2025-12801 6.5 - Medium - March 04, 2026

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

Incorrect Execution-Assigned Permissions

GVfs FTP Backend IP/Port Spoofing Allows Client Port Scanning
CVE-2026-28295 4.3 - Medium - February 26, 2026

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.

SSRF

udisks Unprivileged LUKS Header Backup via D-Bus Policy Check Bypass
CVE-2026-26104 5.5 - Medium - February 25, 2026

A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.

AuthZ

udisks: Unprivileged D-Bus API allows LUKS header overwrite
CVE-2026-26103 7.1 - High - February 25, 2026

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.

AuthZ

389-ds-base Heap Buffer Overflow in schema_attr_enum_callback
CVE-2025-14905 7.2 - High - February 23, 2026

A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

Heap-based Buffer Overflow

QEMU VMDK OOB Read Leak or DoS
CVE-2026-2243 5.1 - Medium - February 19, 2026

A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).

Out-of-bounds Read

QEMU KVM Xen Guest Off-By-One heap OOB access in Xen physdev
CVE-2026-0665 6.5 - Medium - February 18, 2026

An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.

Memory Corruption

QEMU uefi-vars Buffer Size vs Transfer I/O Info Leak
CVE-2025-8860 3.3 - Low - February 18, 2026

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Improper Removal of Sensitive Information Before Storage or Transfer

QEMU virtio-crypto AKCIPHER DoS via unchecked memory allocation
CVE-2025-14876 5.5 - Medium - February 18, 2026

A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.

Allocation of Resources Without Limits or Throttling

Fedora Linux: Kernel Lockdown Disabled, Unsigned Module Loading
CVE-2025-1272 7.7 - High - February 18, 2026

The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. Additionally unsigned modules can be loaded, leading to execution of untrusted code breaking breaking any Secure Boot protection. This vulnerability affects only Fedora Linux.

glibc Insufficient Entropy via getrandom/arc4random After Fork
CVE-2025-0577 4.8 - Medium - February 18, 2026

An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.

Insufficient Entropy

libsoup HTTP Range Header flaw may read arbitrary memory
CVE-2026-2443 5.3 - Medium - February 13, 2026

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.

Out-of-bounds Read

BusyBox Tar Extraction Hardlink/Symlink Escalation Vulnerability
CVE-2026-26158 7 - High - February 11, 2026

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

External Control of File Name or Path

BusyBox: Archive Utils Path Traversal Enables Arbitrary File Overwrite
CVE-2026-26157 7 - High - February 11, 2026

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

External Control of File Name or Path

GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 5.3 - Medium - February 09, 2026

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Inefficient Algorithmic Complexity